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L Cn&rles WHHam Debney . declare and state as follows: 

L I reside si Prospect Lodge, Station Road, Kintbuir, BERKSHIRE* RGI? 9UB, llNrtED 
KINGDOM, 

2. i am one of the Inventors listed in U.S. Patom Application No. J L43Q (iieremaftex 
^o:ur appicatiotf ? X which is a National Stage application of Intemational Application No, 
PCT/GB03/0437 1 , filed October 9, 2003, haying apriority date claim of October I ?, 2002. 

3 . I am prm&nily employed ass Head of As^hitectuFC & Imio vatiGB, B usinesa Services, 
¥odalbne Groap PLG, (the assignee of U. S. Patent Application No> 10/531,430), 

4. I received the degree of PhD, from the Obi vemty of SouthatnptoB in 1982, 



5\ I have been active in the desiga >: mgineering, marketing mid manufactumig of devices 
and methods of ladiitatiog and atith^ticatmg transactions since 200 L 

& My experience also imdndes; eMeMive industrial experience In commiiidc&tions and 
software systems since 1 984. 

I psv&n active member of Institution of EtigMee^mg and TechBology (1ST) and British 
Compulmg Society (BCS) ; 

7< I am thus well familiar with the sufej eGt matter of the c laims of the presem ap|>Iicati oij . 

8 < Our invention relates to the fkolh ikikm m& authenticauon otirrnxmcimm > 1b 
embodiments of the mvention, transactions between, a data processing apparatus (such as a 
personal computer), or a user thereof; and a (possibly remote) third party are feeilitated and 
aiJthejiticated, and such facilitation and aothenticstio^ tn&y also involve the fecilitati^n and 
aqlteenticstipn of &p$tymmior data transfer to be made by or on behalf of the user to the third 
W% See: paragraph [OGOlj of our ai^iicati^;^^!!^^ as'.lXS. Patent Application 
Publication No, U S .2006/01 12275 AL 

9; A device according to our Iwenlion, for coxmection to a data processing apparatus, 
imdudes authe?itication storage means operad vely cooplod thereto for storing prede terniloed 
autherjticatiGsi loibnnatloB respective to a mm The authentkatiori storage moans registered 
with a teieeonixm*^ aiithenCkMing mearm and for which the user 

has a teleeommurdeations terminal. The device, wfecn opemtively coupled to the authentication 
storage means, i$ respond ve to m input message for deriving a response dependent on ih e input 
message and on the authentication ki&^BiUfon for Mmbliiig - i:h0 a\?iMi#caimg me^sag to can -y oat 
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an authentication process via a commu#catiof.i link -with the authenticating meam in the 
telecommimkatloiis system whereby to aiif heiitlcate a subsaqoent tmftsaetiori by tils user wi th 
the data p oces^ng apparatus and which involves use of th e data carried by the authentication 
storage means. The procteteminc'd authentication JjaibmratiO-n stored by the authentication 
storage means corresponds to mfbrm^tion which is used to authmtlcato the user registered with 
telecomnmiiieations system in relation to use of thai user's blecomnmmoaikxns. teiiinal in 
the teleoommunioations system. However, the authentication process -.for. mthmlfcmmg the 
trsnsactioB by that user with the data processing apparatus dem not require use of the user's 
telecqmmunicatioBs temiinal sior does it requiie the telecom to be actually 

authenticated by that information in relation to the teicepmmomcatidB^ system-.. Further, the 
device comrois access to the autheMieatton iniammtian. 

10. A method for authenlkatiBg a transaction with & dm processing apparatus, according to 
our indention, km shx#sr features to those described in Mm pmm&hg paragraph, 

1 1 ; In qonjuoetion with this application, I have reviewed and am familiar with UvS, Patent 
No, 5,761309, issued Jtsn£2,. 1998 to QhasM et at, entitled ^AUTl iENTIGATIGN S YSTEM" 
(ihereiniafter 1 'Gha sKi'Or 

12, FIG, 6 of ©haLshi (reproduced below) is a block diagrani sehemati-caily showing an 
embodim ent of ai:rairthen.tlcatlon system of a purported in vention (coh i t , lines 7-9), In the 
%ure y reierenee nametai 10 denotes a smart card provided with a pmpm aiid a file and 
possessed by each itser 1 1 denotes a card reader/wrher for reading informMiori ifem or writing 
MbTOatioh to the smart card 1,0, and 1 2 denotes a efieut ie^Sis^eon^ 
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IX, provided who client side application and aathenti<;atson kemsl, respectively (col. 1 I, lines 
i 0-1 65. 



CLENT TERMNA.L 



SMART CAR; 


REAEER, 







r? 



PROGRAM 



X. NETWORK,,-- 
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APPLICATION 
SERVER 



CAPS) 
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AO T HER T; C A T ::ON 
KEkNEL 




* USER DATA 

* SYSTEM LOG 
» SLACK LIST 

* APS SECRET KEYS 



13. At column 12, lines 1 - 29, Qhmhi ^ates: 

For the card a Pip code has been previously defmed, and this 
defined FIN code has bees stored, mtfce smart card 10, The user 
inputs Ms FIN code through the client tenmnal 12 imo tfee smart 
card 10 so that codicideoee hetween the input MM code and one 
stored in the smart card 10 is checked. This c heck of the P IN code 
is executed by internal operation of the smart card 10. If PIMeode 
input is successively failed three times, the smart card 10 permits 
no more access and thus the antiiemleation procedure terminates. 
Since the memory in die smart card 10 is a nonvolatile storage, the 
number of the past successive PlH input failure will be held Wen if 
the power is oft This storage will be cleared if PIN code check is 
succeeded within successive three times inputs. 



After the smart card 3 0 is activated by local verification between 
the user and the smart card 1 0, authentication processes are earned 
out with following two phase : 



A first phase is request and issuance of a user certificate, in this 
first phase, the user side (smart card 10) requests die AuC I T to 
issue a eertifioaiion information (user certificate) which verifies 
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him.. The issued- user certificate which has a valid period is stored 
in the smart card 10. Prior to accessfeg the AuC 17, the user side 
(smart card 10 or client temima! 12) corfiniis the validity of the 
already ohtairied user eertiileate. AslOBg-as the user certificate is 
valid rhe ;.aiif'hmtfcatio'n processes can he jumped to a next second 
phase without accessing the AbC 17. This causes, throughput in the 
AuC 17 to decrease. 



14. I umi&nimd. that the Exanhner has character^ ed the pa ssage of Ghashi at column 12,. 
lines 1-29 as a disclosure of %mibhng the authentlcaiiorrmearia to carry out an autlieKtieatioe 
process < ... to aatheiitie : ate;;B s:ub^psrtt iraasactio^ by the user with the data processing 
apparatus - v,/ 5 as reeded in the claims of our application, However, this characterization is not 
accurate, Ratirer, thedted ^ by which a 
client texinioa! (e..g, ? a tefeco:mmunication handset) checks that the user has input a PIN that 
matches the PIN stored ou a sm^icard/SIM, The scenario set out in Ohashi is thus entirely 
different than the suhfect matter of our invention aud would not fell within the scope of a 
transaction- • as recited in the elaisris of our applkaliorL 

15. I hereby state ih&tjpl sta temeps made herein based on my own personal Imowiedge are 
■tea*? ami correct and that all statements based on my irilbi mMion and belief arc true m& correct to 
the best of my knowledge, and further that all of these statemems have been ttxaxie with the 
teowledge that wili&i felse statement md the like so made a^e puiiishahle by fm® or 
fefm6i«M, or both, under Section J 001 of Title 18 of the United States Code and that such 
willful false statements may jeopardize the validity of the present application. 

? • . 




Date 
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